[clug] Lists of attack URL / simple attack signatures...

Red Phoenix intersect at gmail.com
Thu Aug 25 04:43:41 GMT 2005


The nikto scan database might help you a little - it's taken over from
'whisker' as the prime vulnerability scanner for web stuff:
http://www.cirt.net/nikto/UPDATES/1.35/scan_database.db

It probably wouldn't be too horrible to write a brute force scanner of
your web logs using perl, something like 'strstr' & perl arrays...

eg: (excuse the pseudo code)

open DB "blah.db";
while($line=<DB>) {
   $match[]=split on the ", grab the second column
}

while($line = <STDIN>) {
   foreach(@match as $item) {
      # haystack is the log line, needle is the signature
      if(strstr($line, $item)) {
        print "match: $item - $line\n";
        break;
      }
   }
}

As I mentioned.. pseudo-code only (eg: perl doesn't actually have
strstr, from memory), and it would take a fair while to run through
each log... but might help a bit.

Regards,

Leigh.


On 8/25/05, Antony Wuth <foobie at gmail.com> wrote:
> Hi all,
> 
> I was wondering if anyone has a list of relatively up to date attack URLs /
> signatures (or knows of where one is maintained). At this stage I am looking
> at running through my Apache logs and at least getting a handle on how many
> potential attacks appear before working out if it's worth the effort to try
> more comprehensive / painful logging / traffic monitoring type activities.
> 
> Thanks
> Antony.
>
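
A runnable Perl version of the brute-force scan sketched in the pseudo-code above, added here as an example and not part of the original post. It goes slightly beyond the sketch by URL-decoding and lower-casing each request path and by dropping very short signatures; the signature layout (quoted, comma-separated fields with the path in the second column), the sample entries, the log lines and the names `load_signatures` and `scan_log` are assumptions made for illustration.

```perl
use strict;
use warnings;

# Constructed signature lines in the layout the post describes (assumed):
# double-quoted, comma-separated fields, request path in the second column.
my @db_lines = (
    '"generic","/cgi-bin/test-cgi","200","GET","Constructed sample entry"',
    '"generic","/scripts/example.exe","200","GET","Constructed sample entry"',
    '"generic","/","200","GET","Too generic: would match every request"',
);
# Constructed Apache combined-format log lines.
my @log_lines = (
    '192.0.2.10 - - [25/Aug/2005:04:40:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [25/Aug/2005:04:41:13 +0000] "GET /cgi-bin/test-cgi?x HTTP/1.0" 404 208 "-" "-"',
    '192.0.2.77 - - [25/Aug/2005:04:41:14 +0000] "GET /SCRIPTS/%65xample.exe HTTP/1.0" 404 208 "-" "-"',
);

# Return the lower-cased, de-duplicated paths that are at least $min_len long.
sub load_signatures {
    my ($min_len, @lines) = @_;
    my %seen;
    for my $line (@lines) {
        next if $line =~ /^\s*#/;                    # comment lines
        my @cols = $line =~ /"([^"]*)"/g;            # every double-quoted field
        next unless @cols >= 2 && length($cols[1]) >= $min_len;
        $seen{ lc $cols[1] } = 1;
    }
    return sort keys %seen;
}

# Return [signature, log line] pairs, at most one per request.
sub scan_log {
    my ($sigs, @lines) = @_;
    my @hits;
    for my $line (@lines) {
        my ($target) = $line =~ /"[A-Z]+ (\S+)/ or next;          # request target
        (my $norm = $target) =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge; # undo %XX
        $norm = lc $norm;
        for my $sig (@$sigs) {
            next if index($norm, $sig) < 0;          # Perl's substring search
            push @hits, [$sig, $line];
            last;
        }
    }
    return @hits;
}

my @sigs = load_signatures(4, @db_lines);
printf "match: %s - %s\n", @$_ for scan_log(\@sigs, @log_lines);
```

Without the length filter the "/" entry would flag every request, and without the decoding step the third sample line would be missed.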

